---
title: Global Mesh Options
description: Configuration affecting the service mesh as a whole.
location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
number_of_entries: 67
---
<p>Configuration affecting the service mesh as a whole.</p>

<h2 id="MeshConfig">MeshConfig</h2>
<section>
<p>MeshConfig defines mesh-wide settings for the Istio service mesh.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-proxy_listen_port">
<td><code>proxyListenPort</code></td>
<td><code>int32</code></td>
<td>
<p>Port on which Envoy should listen for all outbound traffic to other services.
Default port is 15001.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-proxy_inbound_listen_port">
<td><code>proxyInboundListenPort</code></td>
<td><code>int32</code></td>
<td>
<p>Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to.
Default port is 15006.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-proxy_http_port">
<td><code>proxyHttpPort</code></td>
<td><code>int32</code></td>
<td>
<p>Port on which Envoy should listen for HTTP PROXY requests if set.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-connect_timeout">
<td><code>connectTimeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Connection timeout used by Envoy. (MUST BE &gt;=1ms)
Default timeout is 10s.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-protocol_detection_timeout">
<td><code>protocolDetectionTimeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Automatic protocol detection uses a set of heuristics to
determine whether the connection is using TLS or not (on the
server side), as well as the application protocol being used
(e.g., http vs tcp). These heuristics rely on the client sending
the first bits of data. For server first protocols like MySQL,
MongoDB, etc. Envoy will timeout on the protocol detection after
the specified period, defaulting to non mTLS plain TCP
traffic. Set this field to tweak the period that Envoy will wait
for the client to send the first bits of data. (MUST BE &gt;=1ms or
0s to disable). Default detection timeout is 0s (no timeout).</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-tcp_keepalive">
<td><code>tcpKeepalive</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings-TCPSettings-TcpKeepalive">TcpKeepalive</a></code></td>
<td>
<p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ingress_class">
<td><code>ingressClass</code></td>
<td><code>string</code></td>
<td>
<p>Class of ingress resources to be processed by Istio ingress
controller. This corresponds to the value of
<code>kubernetes.io/ingress.class</code> annotation.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ingress_service">
<td><code>ingressService</code></td>
<td><code>string</code></td>
<td>
<p>Name of the Kubernetes service used for the istio ingress controller.
If no ingress controller is specified, the default value <code>istio-ingressgateway</code> is used.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ingress_controller_mode">
<td><code>ingressControllerMode</code></td>
<td><code><a href="#MeshConfig-IngressControllerMode">IngressControllerMode</a></code></td>
<td>
<p>Defines whether to use Istio ingress controller for annotated or all ingress resources.
Default mode is <code>STRICT</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ingress_selector">
<td><code>ingressSelector</code></td>
<td><code>string</code></td>
<td>
<p>Defines which gateway deployment to use as the Ingress controller. This field corresponds to
the Gateway.selector field, and will be set as <code>istio: INGRESS_SELECTOR</code>.
By default, <code>ingressgateway</code> is used, which will select the default IngressGateway as it has the
<code>istio: ingressgateway</code> labels.
It is recommended that this is the same value as ingress_service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-enable_tracing">
<td><code>enableTracing</code></td>
<td><code>bool</code></td>
<td>
<p>Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-access_log_file">
<td><code>accessLogFile</code></td>
<td><code>string</code></td>
<td>
<p>File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-access_log_format">
<td><code>accessLogFormat</code></td>
<td><code>string</code></td>
<td>
<p>Format for the proxy access log
Empty value results in proxy&rsquo;s default access log format</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-access_log_encoding">
<td><code>accessLogEncoding</code></td>
<td><code><a href="#MeshConfig-AccessLogEncoding">AccessLogEncoding</a></code></td>
<td>
<p>Encoding for the proxy access log (<code>TEXT</code> or <code>JSON</code>).
Default value is <code>TEXT</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-enable_envoy_access_log_service">
<td><code>enableEnvoyAccessLogService</code></td>
<td><code>bool</code></td>
<td>
<p>This flag enables Envoy&rsquo;s gRPC Access Log Service.
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto">Access Log Service</a>
for details about Envoy&rsquo;s gRPC Access Log Service API.
Default value is <code>false</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-disable_envoy_listener_log">
<td><code>disableEnvoyListenerLog</code></td>
<td><code>bool</code></td>
<td>
<p>This flag disables Envoy Listener logs.
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log">Listener Access Log</a>
Istio Enables Envoy&rsquo;s listener access logs on &ldquo;NoRoute&rdquo; response flag.
Default value is <code>false</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-default_config">
<td><code>defaultConfig</code></td>
<td><code><a href="#ProxyConfig">ProxyConfig</a></code></td>
<td>
<p>Default proxy config used by gateway and sidecars.
In case of Kubernetes, the proxy config is applied once during the injection process,
and remain constant for the duration of the pod. The rest of the mesh config can be changed
at runtime and config gets distributed dynamically.
On Kubernetes, this can be overridden on individual pods with the <code>proxy.istio.io/config</code> annotation.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-outbound_traffic_policy">
<td><code>outboundTrafficPolicy</code></td>
<td><code><a href="#MeshConfig-OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application.  If your application uses one or
more external services that are not known apriori, setting the
policy to <code>ALLOW_ANY</code> will cause the sidecars to route any unknown
traffic originating from the application to its requested
destination. Users are strongly encouraged to use ServiceEntries
to explicitly declare any external dependencies, instead of using
<code>ALLOW_ANY</code>, so that traffic to these services can be
monitored. Can be overridden at a Sidecar level by setting the
<code>OutboundTrafficPolicy</code> in the <a href="https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar
API</a>.
Default mode is <code>ALLOW_ANY</code> which means outbound traffic to unknown destinations will be allowed.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-config_sources">
<td><code>configSources</code></td>
<td><code><a href="#ConfigSource">ConfigSource[]</a></code></td>
<td>
<p>ConfigSource describes a source of configuration data for networking
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-enable_auto_mtls">
<td><code>enableAutoMtls</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>This flag is used to enable mutual <code>TLS</code> automatically for service to service communication
within the mesh, default true.
If set to true, and a given service does not have a corresponding <code>DestinationRule</code> configured,
or its <code>DestinationRule</code> does not have ClientTLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically,
If the upstream authentication policy is in <code>STRICT</code> mode, use Istio provisioned certificate
for mutual <code>TLS</code> to connect to upstream.
If upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
mutual <code>TLS</code> when server sides are capable of accepting mutual <code>TLS</code> traffic.
If service <code>DestinationRule</code> exists and has <code>ClientTLSSettings</code> specified, that is always used instead.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-trust_domain">
<td><code>trustDomain</code></td>
<td><code>string</code></td>
<td>
<p>The trust domain corresponds to the trust root of a system.
Refer to <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain">SPIFFE-ID</a></p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-trust_domain_aliases">
<td><code>trustDomainAliases</code></td>
<td><code>string[]</code></td>
<td>
<p>The trust domain aliases represent the aliases of <code>trust_domain</code>.
For example, if we have</p>
<pre><code class="language-yaml">trustDomain: td1
trustDomainAliases: [&quot;td2&quot;, &quot;td3&quot;]
</code></pre>
<p>Any service with the identity <code>td1/ns/foo/sa/a-service-account</code>, <code>td2/ns/foo/sa/a-service-account</code>,
or <code>td3/ns/foo/sa/a-service-account</code> will be treated the same in the Istio mesh.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ca_certificates">
<td><code>caCertificates</code></td>
<td><code><a href="#MeshConfig-CertificateData">CertificateData[]</a></code></td>
<td>
<p>The extra root certificates for workload-to-workload communication.
The plugin certificates (the &lsquo;cacerts&rsquo; secret) or self-signed certificates (the &lsquo;istio-ca-secret&rsquo; secret)
are automatically added by Istiod.
The CA certificate that signs the workload certificates is automatically added by Istio Agent.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-default_service_export_to">
<td><code>defaultServiceExportTo</code></td>
<td><code>string[]</code></td>
<td>
<p>The default value for the ServiceEntry.export_to field and services
imported through container registry integrations, e.g. this applies to
Kubernetes Service resources. The value is a list of namespace names and
reserved namespace aliases. The allowed namespace aliases are:</p>
<pre><code>* - All Namespaces
. - Current Namespace
~ - No Namespace
</code></pre>
<p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
services are exported to all namespaces.</p>
<p><code>All namespaces</code> is a reasonable default for implementations that don&rsquo;t
need to restrict access or visibility of services across namespace
boundaries. If that requirement is present it is generally good practice to
make the default <code>Current namespace</code> so that services are only visible
within their own namespaces by default. Operators can then expand the
visibility of services to other namespaces as needed. Use of <code>No Namespace</code>
is expected to be rare but can have utility for deployments where
dependency management needs to be precise even within the scope of a single
namespace.</p>
<p>For further discussion see the reference documentation for <code>ServiceEntry</code>,
<code>Sidecar</code>, and <code>Gateway</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-default_virtual_service_export_to">
<td><code>defaultVirtualServiceExportTo</code></td>
<td><code>string[]</code></td>
<td>
<p>The default value for the VirtualService.export_to field. Has the same
syntax as <code>default_service_export_to</code>.</p>
<p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
virtual services are exported to all namespaces</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-default_destination_rule_export_to">
<td><code>defaultDestinationRuleExportTo</code></td>
<td><code>string[]</code></td>
<td>
<p>The default value for the <code>DestinationRule.export_to</code> field. Has the same
syntax as <code>default_service_export_to</code>.</p>
<p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
destination rules are exported to all namespaces</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-root_namespace">
<td><code>rootNamespace</code></td>
<td><code>string</code></td>
<td>
<p>The namespace to treat as the administrative root namespace for
Istio configuration. When processing a leaf namespace Istio will search for
declarations in that namespace first and if none are found it will
search in the root namespace. Any matching declaration found in the root
namespace is processed as if it were declared in the leaf namespace.</p>
<p>The precise semantics of this processing are documented on each resource
type.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-locality_lb_setting">
<td><code>localityLbSetting</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#LocalityLoadBalancerSetting">LocalityLoadBalancerSetting</a></code></td>
<td>
<p>Locality based load balancing distribution or failover settings.
If unspecified, locality based load balancing will be enabled by default.
However, this requires outlierDetection to actually take effect for a particular
service, see <a href="https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/">https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/</a></p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-dns_refresh_rate">
<td><code>dnsRefreshRate</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Configures DNS refresh rate for Envoy clusters of type <code>STRICT_DNS</code>
Default refresh rate is <code>60s</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-h2_upgrade_policy">
<td><code>h2UpgradePolicy</code></td>
<td><code><a href="#MeshConfig-H2UpgradePolicy">H2UpgradePolicy</a></code></td>
<td>
<p>Specify if http1.1 connections should be upgraded to http2 by default.
if sidecar is installed on all pods in the mesh, then this should be set to <code>UPGRADE</code>.
If one or more services or namespaces do not have sidecar(s), then this should be set to <code>DO_NOT_UPGRADE</code>.
It can be enabled by destination using the <code>destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy</code> override.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-inbound_cluster_stat_name">
<td><code>inboundClusterStatName</code></td>
<td><code>string</code></td>
<td>
<p>Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
network filters like TCP and Redis.
By default, Istio emits statistics with the pattern <code>inbound|&lt;port&gt;|&lt;port-name&gt;|&lt;service-FQDN&gt;</code>.
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
<ul>
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
<li><code>%TARGET_PORT%</code>  - Will be substituted with the target port of the service.</li>
<li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li>
</ul>
<p>Following are some examples of supported patterns for reviews:</p>
<ul>
<li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li>
<li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-outbound_cluster_stat_name">
<td><code>outboundClusterStatName</code></td>
<td><code>string</code></td>
<td>
<p>Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
network filters like TCP and Redis.
By default, Istio emits statistics with the pattern <code>outbound|&lt;port&gt;|&lt;subsetname&gt;|&lt;service-FQDN&gt;</code>.
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
<ul>
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
<li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li>
<li><code>%SUBSET_NAME%</code> - Will be substituted with subset.</li>
</ul>
<p>Following are some examples of supported patterns for reviews:</p>
<ul>
<li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use <code>reviews.prod.svc.cluster.local_7443</code> as the stats name.</li>
<li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-enable_prometheus_merge">
<td><code>enablePrometheusMerge</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
and Istio agent. The sidecar injection will replace <code>prometheus.io</code> annotations present on the pod
and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
This relies on the annotations <code>prometheus.io/scrape</code>, <code>prometheus.io/port</code>, and
<code>prometheus.io/path</code> annotations.
If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
In this case, it is recommended to disable aggregation on that deployment with the
<code>prometheus.istio.io/merge-metrics: &quot;false&quot;</code> annotation.
If not specified, this will be enabled by default.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-extension_providers">
<td><code>extensionProviders</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider">ExtensionProvider[]</a></code></td>
<td>
<p>Defines a list of extension providers that extend Istio&rsquo;s functionality. For example, the AuthorizationPolicy
can be used with an extension provider to delegate the authorization decision to a custom authorization system.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-default_providers">
<td><code>defaultProviders</code></td>
<td><code><a href="#MeshConfig-DefaultProviders">DefaultProviders</a></code></td>
<td>
<p>Specifies extension providers to use by default in Istio configuration resources.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-discovery_selectors">
<td><code>discoverySelectors</code></td>
<td><code><a href="#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector">LabelSelector[]</a></code></td>
<td>
<p>A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
computing configuration updates for sidecars. This can be used to reduce Istio&rsquo;s computational load
by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
The following example selects any namespace that matches either below:</p>
<ol>
<li>The namespace has both of these labels: <code>env: prod</code> and <code>region: us-east1</code></li>
<li>The namespace has label <code>app</code> equal to <code>cassandra</code> or <code>spark</code>.</li>
</ol>
<pre><code class="language-yaml">discoverySelectors:
  - matchLabels:
      env: prod
      region: us-east1
  - matchExpressions:
    - key: app
      operator: In
      values:
        - cassandra
        - spark
</code></pre>
<p>Refer to the <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors">kubernetes selector docs</a>
for additional detail on selector semantics.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-path_normalization">
<td><code>pathNormalization</code></td>
<td><code><a href="#MeshConfig-ProxyPathNormalization">ProxyPathNormalization</a></code></td>
<td>
<p>ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
normalized by the sidecars and gateways.
The normalized paths will be used in all aspects through the requests&rsquo; lifetime on the
sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
authorization policy match and enforcement in inbound direction (server proxy), and the URL
path proxied to the upstream service.
If not set, the NormalizationType.DEFAULT configuration will be used.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-default_http_retry_policy">
<td><code>defaultHttpRetryPolicy</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/virtual-service.html#HTTPRetry">HTTPRetry</a></code></td>
<td>
<p>Configure the default HTTP retry policy.
The default number of retry attempts is set at 2 for these errors:
&ldquo;connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes&rdquo;.
Setting the number of attempts to 0 disables retry policy globally.
This setting can be overridden on a per-host basis using the Virtual Service
API.
All settings in the retry policy except <code>perTryTimeout</code> can currently be
configured globally via this field.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-mesh_mTLS">
<td><code>meshMTLS</code></td>
<td><code><a href="#MeshConfig-TLSConfig">TLSConfig</a></code></td>
<td>
<p>The below configuration parameters can be used to specify TLSConfig for mesh traffic.
For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
meshConfig:
meshMTLS:
minProtocolVersion: TLSV1_3
tlsDefaults:
Note: applicable only for non ISTIO_MUTUAL scenarios
ecdhCurves:
- P-256
- P-512</p>
<p>Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.
Note: Mesh mTLS does not respect ECDH curves.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-tls_defaults">
<td><code>tlsDefaults</code></td>
<td><code><a href="#MeshConfig-TLSConfig">TLSConfig</a></code></td>
<td>
<p>Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
Currently, this supports configuration of ecdh_curves only.
For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-mse_ingress_global_config">
<td><code>mseIngressGlobalConfig</code></td>
<td><code><a href="#MSEIngressGlobalConfig">MSEIngressGlobalConfig</a></code></td>
<td>
<p>Added by ingress</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ConfigSource">ConfigSource</h2>
<section>
<p>ConfigSource describes information about a configuration store inside a
mesh. A single control plane instance can interact with one or more data
sources.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ConfigSource-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>Address of the server implementing the Istio Mesh Configuration
protocol (MCP). Can be IP address or a fully qualified DNS name.
Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
fs:/// to specify a file-based backend with absolute path to the directory.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ConfigSource-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the tls_settings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ConfigSource-subscribed_resources">
<td><code>subscribedResources</code></td>
<td><code><a href="#Resource">Resource[]</a></code></td>
<td>
<p>Describes the source of configuration, if nothing is specified default is MCP</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MSEIngressGlobalConfig">MSEIngressGlobalConfig</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MSEIngressGlobalConfig-tls_min_protocol_version">
<td><code>tlsMinProtocolVersion</code></td>
<td><code>string</code></td>
<td>
<p>Control tls min protocol version for all gateways.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MSEIngressGlobalConfig-tls_max_protocol_version">
<td><code>tlsMaxProtocolVersion</code></td>
<td><code>string</code></td>
<td>
<p>Control tls max protocol version for all gateways.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MSEIngressGlobalConfig-tls_cipher_suites">
<td><code>tlsCipherSuites</code></td>
<td><code>string[]</code></td>
<td>
<p>Control tls cipher suites for all gateways.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MSEIngressGlobalConfig-upstream_idle_timeout">
<td><code>upstreamIdleTimeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-OutboundTrafficPolicy">MeshConfig.OutboundTrafficPolicy</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-OutboundTrafficPolicy-mode">
<td><code>mode</code></td>
<td><code><a href="#MeshConfig-OutboundTrafficPolicy-Mode">Mode</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-CertificateData">MeshConfig.CertificateData</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-CertificateData-pem" class="oneof oneof-start">
<td><code>pem</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>The PEM data of the certificate.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-CertificateData-spiffe_bundle_url" class="oneof">
<td><code>spiffeBundleUrl</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>The SPIFFE bundle endpoint URL that complies to:
<a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle">https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle</a>
The endpoint should support authentication based on Web PKI:
<a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki">https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki</a>
The certificate is retrieved from the endpoint.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-CertificateData-cert_signers">
<td><code>certSigners</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
when Istiod is acting as RA(registration authority)
If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-CertificateData-trust_domains">
<td><code>trustDomains</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Specify the list of trust domains to which this trustAnchor data belongs.
If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
and its aliases.
Note that we can have multiple trustAnchor data for a same trust_domain.
In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-CA">MeshConfig.CA</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-CA-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
Can be IP address or a fully qualified DNS name with port
Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-CA-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the tls_settings to specify the tls mode to use.
Regarding tls_settings:</p>
<ul>
<li>DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
DISABLE MODE can also be used for testing</li>
<li>TLS MUTUAL MODE be on by default. If the CA certificates
(cert bundle to verify the CA server&rsquo;s certificate) is omitted, Istiod will
use the system root certs to verify the CA server&rsquo;s certificate.</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-CA-request_timeout">
<td><code>requestTimeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>timeout for forward CSR requests from Istiod to External CA
Default: 10s</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-CA-istiod_side">
<td><code>istiodSide</code></td>
<td><code>bool</code></td>
<td>
<p>Use istiod_side to specify CA Server integrate to Istiod side or Agent side
Default: true</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider">MeshConfig.ExtensionProvider</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. A unique name identifying the extension provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-envoy_ext_authz_http" class="oneof oneof-start">
<td><code>envoyExtAuthzHttp</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider">EnvoyExternalAuthorizationHttpProvider (oneof)</a></code></td>
<td>
<p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-envoy_ext_authz_grpc" class="oneof">
<td><code>envoyExtAuthzGrpc</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider">EnvoyExternalAuthorizationGrpcProvider (oneof)</a></code></td>
<td>
<p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-zipkin" class="oneof">
<td><code>zipkin</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-ZipkinTracingProvider">ZipkinTracingProvider (oneof)</a></code></td>
<td>
<p>Configures a tracing provider that uses the Zipkin API.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-datadog" class="oneof">
<td><code>datadog</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-DatadogTracingProvider">DatadogTracingProvider (oneof)</a></code></td>
<td>
<p>Configures a Datadog tracing provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-stackdriver" class="oneof">
<td><code>stackdriver</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-StackdriverProvider">StackdriverProvider (oneof)</a></code></td>
<td>
<p>Configures a Stackdriver provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-skywalking" class="oneof">
<td><code>skywalking</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider">SkyWalkingTracingProvider (oneof)</a></code></td>
<td>
<p>Configures a Apache SkyWalking provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-opentelemetry" class="oneof">
<td><code>opentelemetry</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider">OpenTelemetryTracingProvider (oneof)</a></code></td>
<td>
<p>Configures an OpenTelemetry tracing provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-prometheus" class="oneof">
<td><code>prometheus</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-PrometheusMetricsProvider">PrometheusMetricsProvider (oneof)</a></code></td>
<td>
<p>Configures a Prometheus metrics provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-envoy_file_access_log" class="oneof">
<td><code>envoyFileAccessLog</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider">EnvoyFileAccessLogProvider (oneof)</a></code></td>
<td>
<p>Configures an Envoy File Access Log provider.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-envoy_http_als" class="oneof">
<td><code>envoyHttpAls</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider">EnvoyHttpGrpcV3LogProvider (oneof)</a></code></td>
<td>
<p>Configures an Envoy Access Logging Service provider for HTTP traffic.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-envoy_tcp_als" class="oneof">
<td><code>envoyTcpAls</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider">EnvoyTcpGrpcV3LogProvider (oneof)</a></code></td>
<td>
<p>Configures an Envoy Access Logging Service provider for TCP traffic.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-envoy_otel_als" class="oneof">
<td><code>envoyOtelAls</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider">EnvoyOpenTelemetryLogProvider (oneof)</a></code></td>
<td>
<p>Configures an Envoy Open Telemetry Access Logging Service provider.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-DefaultProviders">MeshConfig.DefaultProviders</h2>
<section>
<p>Holds the name references to the providers that will be used by default
in other Istio configuration resources if the provider is not specified.</p>
<p>These names must match a provider defined in <code>extension_providers</code> that is
one of the supported tracing providers.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-DefaultProviders-tracing">
<td><code>tracing</code></td>
<td><code>string[]</code></td>
<td>
<p>Name of the default provider(s) for tracing.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-DefaultProviders-metrics">
<td><code>metrics</code></td>
<td><code>string[]</code></td>
<td>
<p>Name of the default provider(s) for metrics.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-DefaultProviders-access_logging">
<td><code>accessLogging</code></td>
<td><code>string[]</code></td>
<td>
<p>Name of the default provider(s) for access logging.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ProxyPathNormalization">MeshConfig.ProxyPathNormalization</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ProxyPathNormalization-normalization">
<td><code>normalization</code></td>
<td><code><a href="#MeshConfig-ProxyPathNormalization-NormalizationType">NormalizationType</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-TLSConfig">MeshConfig.TLSConfig</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-TLSConfig-min_protocol_version">
<td><code>minProtocolVersion</code></td>
<td><code><a href="#MeshConfig-TLSConfig-TLSProtocol">TLSProtocol</a></code></td>
<td>
<p>Optional: the minimum TLS protocol version. The default minimum
TLS version will be TLS 1.2. As servers may not be Envoy and be
set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
minimum TLS version for clients may also be TLS 1.2.
In the current Istio implementation, the maximum TLS protocol version
is TLS 1.3.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-TLSConfig-ecdh_curves">
<td><code>ecdhCurves</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">Ecdh Curves</a></p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-TLSConfig-cipher_suites">
<td><code>cipherSuites</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
If not specified, the following cipher suites will be used:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ServiceSettings-Settings">MeshConfig.ServiceSettings.Settings</h2>
<section>
<p>Settings for the selected services.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ServiceSettings-Settings-cluster_local">
<td><code>clusterLocal</code></td>
<td><code>bool</code></td>
<td>
<p>If true, specifies that the client and service endpoints must reside in the same cluster.
By default, in multi-cluster deployments, the Istio control plane assumes all service
endpoints to be reachable from any client in any of the clusters which are part of the
mesh. This configuration option limits the set of service endpoints visible to a client
to be cluster scoped.</p>
<p>There are some common scenarios when this can be useful:</p>
<ul>
<li>A service (or group of services) is inherently local to the cluster and has local storage
for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).</li>
<li>A mesh administrator wants to slowly migrate services to Istio. They might start by first
having services cluster-local and then slowly transition them to mesh-wide. They could do
this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
(e.g. *.myns.svc.cluster.local).</li>
</ul>
<p>By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
services in the kube-system namespace to be cluster-local, unless explicitly overridden here.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody">MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-max_request_bytes">
<td><code>maxRequestBytes</code></td>
<td><code>uint32</code></td>
<td>
<p>Sets the maximum size of a message body that the ext-authz filter will hold in memory.
If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
Otherwise the request will be sent to the provider with a partial message.
Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the
fail_open is set to true.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-allow_partial_message">
<td><code>allowPartialMessage</code></td>
<td><code>bool</code></td>
<td>
<p>When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
A &ldquo;x-envoy-auth-partial-body: false|true&rdquo; metadata header will be added to the authorization request message
indicating if the body data is partial.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-pack_as_bytes">
<td><code>packAsBytes</code></td>
<td><code>bool</code></td>
<td>
<p>If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
in the raw_body field (<a href="https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153)">https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153)</a>.
Otherwise, it will be filled with UTF-8 string in the body field (<a href="https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147)">https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147)</a>.
This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider">MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;my-ext-authz.foo.svc.cluster.local&rdquo; or &ldquo;bar/my-ext-authz.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-timeout">
<td><code>timeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
In this situation, the response sent back to the client will depend on the configured <code>fail_open</code> field.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-path_prefix">
<td><code>pathPrefix</code></td>
<td><code>string</code></td>
<td>
<p>Sets a prefix to the value of authorization request header <em>Path</em>.
For example, setting this to &ldquo;/check&rdquo; for an original user request at path &ldquo;/admin&rdquo; will cause the
authorization check request to be sent to the authorization service at the path &ldquo;/check/admin&rdquo; instead of &ldquo;/admin&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-fail_open">
<td><code>failOpen</code></td>
<td><code>bool</code></td>
<td>
<p>If true, the user request will be allowed even if the communication with the authorization service has failed,
or if the authorization service has returned a HTTP 5xx error.
Default is false and the request will be rejected with &ldquo;Forbidden&rdquo; response.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-status_on_error">
<td><code>statusOnError</code></td>
<td><code>string</code></td>
<td>
<p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
The default status is &ldquo;403&rdquo; (HTTP Forbidden).</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_headers_in_check">
<td><code>includeHeadersInCheck</code></td>
<td><code>string[]</code></td>
<td>
<p>DEPRECATED. Use include_request_headers_in_check instead.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_headers_in_check">
<td><code>includeRequestHeadersInCheck</code></td>
<td><code>string[]</code></td>
<td>
<p>List of client request headers that should be included in the authorization request sent to the authorization service.
Note that in addition to the headers specified here following headers are included by default:</p>
<ol>
<li><em>Host</em>, <em>Method</em>, <em>Path</em> and <em>Content-Length</em> are automatically sent.</li>
<li><em>Content-Length</em> will be set to 0 and the request will not have a message body. However, the authorization
request can include the buffered client request body (controlled by include_request_body_in_check setting),
consequently the value of Content-Length of the authorization request reflects the size of its payload size.</li>
</ol>
<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
<ul>
<li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
<li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
<li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_additional_headers_in_check">
<td><code>includeAdditionalHeadersInCheck</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
Key is the header name and value is the header value.
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_body_in_check">
<td><code>includeRequestBodyInCheck</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody">EnvoyExternalAuthorizationRequestBody</a></code></td>
<td>
<p>If set, the client request body will be included in the authorization request sent to the authorization service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_upstream_on_allow">
<td><code>headersToUpstreamOnAllow</code></td>
<td><code>string[]</code></td>
<td>
<p>List of headers from the authorization service that should be added or overridden in the original request and
forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original request will not be modified and forwarded to backend as-is.
Note, any existing headers will be overridden.</p>
<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
<ul>
<li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
<li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
<li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_deny">
<td><code>headersToDownstreamOnDeny</code></td>
<td><code>string[]</code></td>
<td>
<p>List of headers from the authorization service that should be forwarded to downstream when the authorization
check result is not allowed (HTTP code other than 200).
If not specified, all the authorization response headers, except <em>Authority (Host)</em> will be in the response to
the downstream.
When a header is included in this list, <em>Path</em>, <em>Status</em>, <em>Content-Length</em>, <em>WWWAuthenticate</em> and <em>Location</em> are
automatically added.
Note, the body from the authorization service is always included in the response to downstream.</p>
<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
<ul>
<li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
<li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
<li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_allow">
<td><code>headersToDownstreamOnAllow</code></td>
<td><code>string[]</code></td>
<td>
<p>List of headers from the authorization service that should be forwarded to downstream when the authorization
check result is allowed (HTTP code 200).
If not specified, the original response will not be modified and forwarded to downstream as-is.
Note, any existing headers will be overridden.</p>
<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
<ul>
<li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
<li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
<li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li>
</ul>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider">MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;my-ext-authz.foo.svc.cluster.local&rdquo; or &ldquo;bar/my-ext-authz.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-timeout">
<td><code>timeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
In this situation, the response sent back to the client will depend on the configured <code>fail_open</code> field.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-fail_open">
<td><code>failOpen</code></td>
<td><code>bool</code></td>
<td>
<p>If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
or if the authorization service has returned a HTTP 5xx error.
Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-status_on_error">
<td><code>statusOnError</code></td>
<td><code>string</code></td>
<td>
<p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
The default status is &ldquo;403&rdquo; (HTTP Forbidden).</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-include_request_body_in_check">
<td><code>includeRequestBodyInCheck</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody">EnvoyExternalAuthorizationRequestBody</a></code></td>
<td>
<p>If set, the client request body will be included in the authorization request sent to the authorization service.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-ZipkinTracingProvider">MeshConfig.ExtensionProvider.ZipkinTracingProvider</h2>
<section>
<p>Defines configuration for a Zipkin tracer.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-ZipkinTracingProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service that the Zipkin API.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;zipkin.default.svc.cluster.local&rdquo; or &ldquo;bar/zipkin.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-ZipkinTracingProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-ZipkinTracingProvider-max_tag_length">
<td><code>maxTagLength</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-ZipkinTracingProvider-enable_64bit_trace_id">
<td><code>enable64bitTraceId</code></td>
<td><code>bool</code></td>
<td>
<p>Optional. A 128 bit trace id will be used in Istio.
If true, will result in a 64 bit trace id being used.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-LightstepTracingProvider">MeshConfig.ExtensionProvider.LightstepTracingProvider</h2>
<section>
<p>Defines configuration for a Lightstep tracer.
Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
will generate OpenTelemetry-compatible configuration when using this option.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-LightstepTracingProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service for the Lightstep collector.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;lightstep.default.svc.cluster.local&rdquo; or &ldquo;bar/lightstep.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-LightstepTracingProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-LightstepTracingProvider-access_token">
<td><code>accessToken</code></td>
<td><code>string</code></td>
<td>
<p>The Lightstep access token.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-LightstepTracingProvider-max_tag_length">
<td><code>maxTagLength</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-DatadogTracingProvider">MeshConfig.ExtensionProvider.DatadogTracingProvider</h2>
<section>
<p>Defines configuration for a Datadog tracer.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-DatadogTracingProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service for the Datadog agent.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;datadog.default.svc.cluster.local&rdquo; or &ldquo;bar/datadog.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-DatadogTracingProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-DatadogTracingProvider-max_tag_length">
<td><code>maxTagLength</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-SkyWalkingTracingProvider">MeshConfig.ExtensionProvider.SkyWalkingTracingProvider</h2>
<section>
<p>Defines configuration for a SkyWalking tracer.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service for the SkyWalking receiver.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;skywalking.default.svc.cluster.local&rdquo; or &ldquo;bar/skywalking.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-access_token">
<td><code>accessToken</code></td>
<td><code>string</code></td>
<td>
<p>Optional. The SkyWalking OAP access token.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-StackdriverProvider">MeshConfig.ExtensionProvider.StackdriverProvider</h2>
<section>
<p>Defines configuration for Stackdriver.</p>
<p>WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
driver in Envoy.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-StackdriverProvider-max_tag_length">
<td><code>maxTagLength</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-StackdriverProvider-logging">
<td><code>logging</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-StackdriverProvider-Logging">Logging</a></code></td>
<td>
<p>Optional. Controls Stackdriver logging behavior.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider">MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider</h2>
<section>
<p>Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.</p>
<p>WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
OpenCensus providers CANNOT be changed during the course of proxy&rsquo;s lifetime due to a limitation
in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
configuration MUST be accompanied by a restart of all proxies that will use that configuration.</p>
<p>NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside OpenCensus provider configuration.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service for the OpenCensusAgent.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;ocagent.default.svc.cluster.local&rdquo; or &ldquo;bar/ocagent.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-context">
<td><code>context</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext">TraceContext[]</a></code></td>
<td>
<p>Specifies the set of context propagation headers used for distributed
tracing. Default is <code>[&quot;W3C_TRACE_CONTEXT&quot;]</code>. If multiple values are specified,
the proxy will attempt to read each header for each request and will
write all headers.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-max_tag_length">
<td><code>maxTagLength</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-PrometheusMetricsProvider">MeshConfig.ExtensionProvider.PrometheusMetricsProvider</h2>
<section>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider">MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider</h2>
<section>
<p>Defines configuration for Envoy-based access logging that writes to
local files (and/or standard streams).</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-path">
<td><code>path</code></td>
<td><code>string</code></td>
<td>
<p>Path to a local file to write the access log entries.
This may be used to write to streams, via <code>/dev/stderr</code> and <code>/dev/stdout</code>
If unspecified, defaults to <code>/dev/stdout</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-log_format">
<td><code>logFormat</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat">LogFormat</a></code></td>
<td>
<p>Optional. Allows overriding of the default access log format.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider">MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider</h2>
<section>
<p>Defines configuration for an Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als">Access Logging Service</a>
integration for HTTP traffic.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;envoy-als.foo.svc.cluster.local&rdquo; or &ldquo;bar/envoy-als.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-log_name">
<td><code>logName</code></td>
<td><code>string</code></td>
<td>
<p>Optional. The friendly name of the access log.
Defaults:</p>
<ul>
<li>&ldquo;http_envoy_accesslog&rdquo;</li>
<li>&ldquo;listener_envoy_accesslog&rdquo;</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-filter_state_objects_to_log">
<td><code>filterStateObjectsToLog</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Additional filter state objects to log.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_request_headers_to_log">
<td><code>additionalRequestHeadersToLog</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Additional request headers to log.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_headers_to_log">
<td><code>additionalResponseHeadersToLog</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Additional response headers to log.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_trailers_to_log">
<td><code>additionalResponseTrailersToLog</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Additional response trailers to log.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider">MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider</h2>
<section>
<p>Defines configuration for an Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als">Access Logging Service</a>
integration for TCP traffic.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;envoy-als.foo.svc.cluster.local&rdquo; or &ldquo;bar/envoy-als.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-log_name">
<td><code>logName</code></td>
<td><code>string</code></td>
<td>
<p>Optional. The friendly name of the access log.
Defaults:</p>
<ul>
<li>&ldquo;tcp_envoy_accesslog&rdquo;</li>
<li>&ldquo;listener_envoy_accesslog&rdquo;</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-filter_state_objects_to_log">
<td><code>filterStateObjectsToLog</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. Additional filter state objects to log.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider">MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider</h2>
<section>
<p>Defines configuration for an Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto">OpenTelemetry (gRPC) Access Log</a></p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;envoy-als.foo.svc.cluster.local&rdquo; or &ldquo;bar/envoy-als.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_name">
<td><code>logName</code></td>
<td><code>string</code></td>
<td>
<p>Optional. The friendly name of the access log.
Defaults:</p>
<ul>
<li>&ldquo;otel_envoy_accesslog&rdquo;</li>
</ul>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_format">
<td><code>logFormat</code></td>
<td><code><a href="#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat">LogFormat</a></code></td>
<td>
<p>Optional. Format for the proxy access log
Empty value results in proxy&rsquo;s default access log format, following Envoy access logging formatting.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider">MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider</h2>
<section>
<p>Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-service">
<td><code>service</code></td>
<td><code>string</code></td>
<td>
<p>REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;otlp.default.svc.cluster.local&rdquo; or &ldquo;bar/otlp.example.com&rdquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-max_tag_length">
<td><code>maxTagLength</code></td>
<td><code>uint32</code></td>
<td>
<p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-StackdriverProvider-Logging">MeshConfig.ExtensionProvider.StackdriverProvider.Logging</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-StackdriverProvider-Logging-labels">
<td><code>labels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Collection of tag names and tag expressions to include in the log
entry. Conflicts are resolved by the tag name by overriding previously
supplied values.</p>
<p>Example:
labels:
path: request.url_path
foo: request.headers[&lsquo;x-foo&rsquo;]</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat">MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-text" class="oneof oneof-start">
<td><code>text</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Textual format for the envoy access logs. Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators">command operators</a> may be
used in the format. The <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings">format string documentation</a>
provides more information.</p>
<p>NOTE: Istio will insert a newline (&rsquo;\n&rsquo;) on all formats (if missing).</p>
<p>Example: <code>text: &quot;%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%&quot;</code></p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-labels" class="oneof">
<td><code>labels</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct (oneof)</a></code></td>
<td>
<p>JSON structured format for the envoy access logs. Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators">command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries">format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. <code>FILTER_STATE</code> or <code>DYNAMIC_METADATA</code>).
Use <code>labels: {}</code> for default envoy JSON log format.</p>
<p>Example:</p>
<pre><code>labels:
  status: &quot;%RESPONSE_CODE%&quot;
  message: &quot;%LOCAL_REPLY_BODY%&quot;
</code></pre>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat">MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-text">
<td><code>text</code></td>
<td><code>string</code></td>
<td>
<p>Textual format for the envoy access logs. Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators">command operators</a> may be
used in the format. The <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings">format string documentation</a>
provides more information.
Alias to <code>body</code> filed in <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto">Open Telemetry</a>
Example: <code>text: &quot;%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%&quot;</code></p>

</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-labels">
<td><code>labels</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>Optional. Additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators">command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries">format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
Alias to <code>attributes</code> filed in <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto">Open Telemetry</a></p>
<p>Example:</p>
<pre><code>labels:
  status: &quot;%RESPONSE_CODE%&quot;
  message: &quot;%LOCAL_REPLY_BODY%&quot;
</code></pre>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector">k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector</h2>
<section>
<p>A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
+structType=atomic</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector-matchLabels">
<td><code>matchLabels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is &ldquo;key&rdquo;, the
operator is &ldquo;In&rdquo;, and the values array contains only &ldquo;value&rdquo;. The requirements are ANDed.
+optional</p>

</td>
<td>
No
</td>
</tr>
<tr id="k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector-matchExpressions">
<td><code>matchExpressions</code></td>
<td><code><a href="#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelectorRequirement">LabelSelectorRequirement[]</a></code></td>
<td>
<p>matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tracing">Tracing</h2>
<section>
<p>Tracing defines configuration for the tracing performed by Envoy instances.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Tracing-zipkin" class="oneof oneof-start">
<td><code>zipkin</code></td>
<td><code><a href="#Tracing-Zipkin">Zipkin (oneof)</a></code></td>
<td>
<p>Use a Zipkin tracer.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-lightstep" class="oneof">
<td><code>lightstep</code></td>
<td><code><a href="#Tracing-Lightstep">Lightstep (oneof)</a></code></td>
<td>
<p>Use a Lightstep tracer.
NOTE: For Istio 1.15+, this configuration option will result
in using OpenTelemetry-based Lightstep integration.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-datadog" class="oneof">
<td><code>datadog</code></td>
<td><code><a href="#Tracing-Datadog">Datadog (oneof)</a></code></td>
<td>
<p>Use a Datadog tracer.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-stackdriver" class="oneof">
<td><code>stackdriver</code></td>
<td><code><a href="#Tracing-Stackdriver">Stackdriver (oneof)</a></code></td>
<td>
<p>Use a Stackdriver tracer.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-open_census_agent" class="oneof">
<td><code>openCensusAgent</code></td>
<td><code><a href="#Tracing-OpenCensusAgent">OpenCensusAgent (oneof)</a></code></td>
<td>
<p>Use an OpenCensus tracer exporting to an OpenCensus agent.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-sampling">
<td><code>sampling</code></td>
<td><code>double</code></td>
<td>
<p>The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
if not requested by the client or not forced. Default is 1.0.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the tls_settings to specify the tls mode to use. If the remote tracing service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Topology">Topology</h2>
<section>
<p>Topology describes the configuration for relative location of a proxy with
respect to intermediate trusted proxies and the client. These settings
control how the client attributes are retrieved from the incoming traffic by
the gateway proxy and propagated to the upstream services in the cluster.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Topology-num_trusted_proxies">
<td><code>numTrustedProxies</code></td>
<td><code>uint32</code></td>
<td>
<p>Number of trusted proxies deployed in front of the Istio gateway proxy.
When this option is set to value N greater than zero, the trusted client
address is assumed to be the Nth address from the right end of the
X-Forwarded-For (XFF) header from the incoming request. If the
X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the
gateway proxy falls back to using the immediate downstream connection&rsquo;s
source address as the trusted client address.
Note that the gateway proxy will append the downstream connection&rsquo;s source
address to the X-Forwarded-For (XFF) address and set the
X-Envoy-External-Address header to the trusted client address before
forwarding it to the upstream services in the cluster.
The default value of num_trusted_proxies is 0.
See [Envoy XFF] (<a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for">https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for</a>)
header handling for more details.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Topology-forward_client_cert_details">
<td><code>forwardClientCertDetails</code></td>
<td><code><a href="#ForwardClientCertDetails">ForwardClientCertDetails</a></code></td>
<td>
<p>Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
header in the incoming request.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Topology-proxy_protocol">
<td><code>proxyProtocol</code></td>
<td><code><a href="#Topology-ProxyProtocolConfiguration">ProxyProtocolConfiguration</a></code></td>
<td>
<p>Enables <a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">PROXY protocol</a> for
downstream connections on a gateway.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PrivateKeyProvider">PrivateKeyProvider</h2>
<section>
<p>PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
mesh wide or individual per-workload basis.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PrivateKeyProvider-cryptomb" class="oneof oneof-start">
<td><code>cryptomb</code></td>
<td><code><a href="#PrivateKeyProvider-CryptoMb">CryptoMb (oneof)</a></code></td>
<td>
<p>Use CryptoMb private key provider</p>

</td>
<td>
No
</td>
</tr>
<tr id="PrivateKeyProvider-qat" class="oneof">
<td><code>qat</code></td>
<td><code><a href="#PrivateKeyProvider-QAT">QAT (oneof)</a></code></td>
<td>
<p>Use QAT private key provider</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig">ProxyConfig</h2>
<section>
<p>ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
as well as by the mesh-wide defaults.
To set the mesh wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p>
<pre><code>meshConfig:
  defaultConfig:
    discoveryAddress: istiod:15012
</code></pre>
<p>This can also be configured on a per-workload basis by configuring the <code>proxy.istio.io/config</code> annotation on the pod. For example:</p>
<pre><code>annotations:
  proxy.istio.io/config: |
    discoveryAddress: istiod:15012
</code></pre>
<p>If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
This is different than a deep merge provided by protobuf.
For example, <code>&quot;tracing&quot;: { &quot;sampling&quot;: 5 }</code> would completely override a setting configuring a tracing provider
such as <code>&quot;tracing&quot;: { &quot;zipkin&quot;: { &quot;address&quot;: &quot;...&quot; } }</code>.</p>
<p>Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-config_path">
<td><code>configPath</code></td>
<td><code>string</code></td>
<td>
<p>Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-binary_path">
<td><code>binaryPath</code></td>
<td><code>string</code></td>
<td>
<p>Path to the proxy binary</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-service_cluster" class="oneof oneof-start">
<td><code>serviceCluster</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Service cluster defines the name for the <code>service_cluster</code> that is
shared by all Envoy instances. This setting corresponds to
<code>--service-cluster</code> flag in Envoy.  In a typical Envoy deployment, the
<code>service-cluster</code> flag is used to identify the caller, for
source-based routing scenarios.</p>
<p>Since Istio does not assign a local <code>service/service</code> version to each
Envoy instance, the name is same for all of them.  However, the
source/caller&rsquo;s identity (e.g., IP address) is encoded in the
<code>--service-node</code> flag when launching Envoy.  When the RDS service
receives API calls from Envoy, it uses the value of the <code>service-node</code>
flag to compute routes that are relative to the service instances
located at that IP address.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-tracing_service_name" class="oneof">
<td><code>tracingServiceName</code></td>
<td><code><a href="#ProxyConfig-TracingServiceName">TracingServiceName (oneof)</a></code></td>
<td>
<p>Used by Envoy proxies to assign the values for the service names in trace
spans.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-drain_duration">
<td><code>drainDuration</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>The time in seconds that Envoy will drain connections during a hot
restart. MUST be &gt;=1s (e.g., <em>1s/1m/1h</em>)
Default drain duration is <code>45s</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-discovery_address">
<td><code>discoveryAddress</code></td>
<td><code>string</code></td>
<td>
<p>Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-statsd_udp_address">
<td><code>statsdUdpAddress</code></td>
<td><code>string</code></td>
<td>
<p>IP Address and Port of a statsd UDP listener (e.g. <code>10.75.241.127:9125</code>).</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-proxy_admin_port">
<td><code>proxyAdminPort</code></td>
<td><code>int32</code></td>
<td>
<p>Port on which Envoy should listen for administrative commands.
Default port is <code>15000</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-control_plane_auth_policy">
<td><code>controlPlaneAuthPolicy</code></td>
<td><code><a href="#AuthenticationPolicy">AuthenticationPolicy</a></code></td>
<td>
<p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
Default is set to <code>MUTUAL_TLS</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-custom_config_file">
<td><code>customConfigFile</code></td>
<td><code>string</code></td>
<td>
<p>File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-stat_name_length">
<td><code>statNameLength</code></td>
<td><code>int32</code></td>
<td>
<p>Maximum length of name field in Envoy&rsquo;s metrics. The length of the name field
is determined by the length of a name field in a service and the set of labels that
comprise a particular version of the service. The default value is set to 189 characters.
Envoy&rsquo;s internal metrics take up 67 characters, for a total of 256 character name per metric.
Increase the value of this field if you find that the metrics from Envoys are truncated.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-concurrency">
<td><code>concurrency</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td>
<p>The number of worker threads to run.
If unset, this will be automatically determined based on CPU requests/limits.
If set to 0, all cores on the machine will be used.
Default is 2 worker threads.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-proxy_bootstrap_template_path">
<td><code>proxyBootstrapTemplatePath</code></td>
<td><code>string</code></td>
<td>
<p>Path to the proxy bootstrap template file</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-interception_mode">
<td><code>interceptionMode</code></td>
<td><code><a href="#ProxyConfig-InboundInterceptionMode">InboundInterceptionMode</a></code></td>
<td>
<p>The mode used to redirect inbound traffic to Envoy.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-tracing">
<td><code>tracing</code></td>
<td><code><a href="#Tracing">Tracing</a></code></td>
<td>
<p>Tracing configuration to be used by the proxy.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-envoy_access_log_service">
<td><code>envoyAccessLogService</code></td>
<td><code><a href="#RemoteService">RemoteService</a></code></td>
<td>
<p>Address of the service to which access logs from Envoys should be
sent. (e.g. <code>accesslog-service:15000</code>). See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto">Access Log
Service</a>
for details about Envoy&rsquo;s gRPC Access Log Service API.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-envoy_metrics_service">
<td><code>envoyMetricsService</code></td>
<td><code><a href="#RemoteService">RemoteService</a></code></td>
<td>
<p>Address of the Envoy Metrics Service implementation (e.g. <code>metrics-service:15000</code>).
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto">Metric Service</a>
for details about Envoy&rsquo;s Metrics Service API.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-proxy_metadata">
<td><code>proxyMetadata</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Additional environment variables for the proxy.
Names starting with <code>ISTIO_META_</code> will be included in the generated bootstrap and sent to the XDS server.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-runtime_values">
<td><code>runtimeValues</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Envoy <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime">runtime configuration</a> to set during bootstrapping.
This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-status_port">
<td><code>statusPort</code></td>
<td><code>int32</code></td>
<td>
<p>Port on which the agent should listen for administrative commands such as readiness probe.
Default is set to port <code>15020</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-extra_stat_tags">
<td><code>extraStatTags</code></td>
<td><code>string[]</code></td>
<td>
<p>An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
added by configuring the telemetry extension. Each additional tag needs to be present in this list.
Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
and exposed as Prometheus metrics.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-gateway_topology">
<td><code>gatewayTopology</code></td>
<td><code><a href="#Topology">Topology</a></code></td>
<td>
<p>Topology encapsulates the configuration which describes where the proxy is
located i.e. behind a (or N) trusted proxy (proxies) or directly exposed
to the internet. This configuration only effects gateways and is applied
to all the gateways in the cluster unless overridden via annotations of the
gateway workloads.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-termination_drain_duration">
<td><code>terminationDrainDuration</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>The amount of time allowed for connections to complete on proxy shutdown.
On receiving <code>SIGTERM</code> or <code>SIGINT</code>, <code>istio-agent</code> tells the active Envoy to start draining,
preventing any new connections and allowing existing connections to complete. It then
sleeps for the <code>termination_drain_duration</code> and then kills any remaining active Envoy processes.
If not set, a default of <code>5s</code> will be applied.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-mesh_id">
<td><code>meshId</code></td>
<td><code>string</code></td>
<td>
<p>The unique identifier for the <a href="https://istio.io/docs/reference/glossary/#service-mesh">service mesh</a>
All control planes running in the same service mesh should specify the same mesh ID.
Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-readiness_probe">
<td><code>readinessProbe</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/workload-group.html#ReadinessProbe">ReadinessProbe</a></code></td>
<td>
<p>VM Health Checking readiness probe. This health check config exactly mirrors the
kubernetes readiness probe configuration both in schema and logic.
Only one health check method of 3 can be set at a time.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-proxy_stats_matcher">
<td><code>proxyStatsMatcher</code></td>
<td><code><a href="#ProxyConfig-ProxyStatsMatcher">ProxyStatsMatcher</a></code></td>
<td>
<p>Proxy stats matcher defines configuration for reporting custom Envoy stats.
To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
default create and expose only a subset of Envoy stats. This option is to
control creation of additional Envoy stats with prefix, suffix, and regex
expressions match on the name of the stats. This replaces the stats
inclusion annotations
(<code>sidecar.istio.io/statsInclusionPrefixes</code>,
<code>sidecar.istio.io/statsInclusionRegexps</code>, and
<code>sidecar.istio.io/statsInclusionSuffixes</code>). For example, to enable stats
for circuit breakers, request retries, upstream connections, and request timeouts,
you can specify stats matcher as follows:</p>
<pre><code class="language-yaml">proxyStatsMatcher:
  inclusionRegexps:
    - .*outlier_detection.*
    - .*upstream_rq_retry.*
    - .*upstream_cx_.*
  inclusionSuffixes:
    - upstream_rq_timeout
</code></pre>
<p>Note including more Envoy stats might increase number of time series
collected by prometheus significantly. Care needs to be taken on Prometheus
resource provision and configuration to reduce cardinality.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-hold_application_until_proxy_starts">
<td><code>holdApplicationUntilProxyStarts</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
This feature adds hooks to delay application startup until the pod proxy
is ready to accept traffic, mitigating some startup race conditions.
Default value is &lsquo;false&rsquo;.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ca_certificates_pem">
<td><code>caCertificatesPem</code></td>
<td><code>string[]</code></td>
<td>
<p>The PEM data of the extra root certificates for workload-to-workload communication.
This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
The plugin certificates (the &lsquo;cacerts&rsquo; secret), self-signed certificates (the &lsquo;istio-ca-secret&rsquo; secret)
are added automatically by Istiod.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-image">
<td><code>image</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/proxy-config.html#ProxyImage">ProxyImage</a></code></td>
<td>
<p>Specifies the details of the proxy image.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-private_key_provider">
<td><code>privateKeyProvider</code></td>
<td><code><a href="#PrivateKeyProvider">PrivateKeyProvider</a></code></td>
<td>
<p>Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-proxy_headers">
<td><code>proxyHeaders</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders">ProxyHeaders</a></code></td>
<td>
<p>Define the set of headers to add/modify for HTTP request/responses.</p>
<p>To enable an optional header, simply set the field. If no specific configuration is required, an empty object (<code>{}</code>) will enable it.
Note: currently all headers are enabled by default.</p>
<p>Below shows an example of customizing the <code>server</code> header and disabling the <code>X-Envoy-Attempt-Count</code> header:</p>
<pre><code class="language-yaml">proxyHeaders:
  server:
    value: &quot;my-custom-server&quot;
  requestId: {} // Explicitly enable Request IDs. As this is the default, this has no effect.
  attemptCount:
    disabled: true
</code></pre>
<p>Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:</p>
<pre><code class="language-yaml">proxyHeaders:
  forwardedClientCert: SANITIZE
  server:
    disabled: true
  requestId:
    disabled: true
  attemptCount:
    disabled: true
  envoyDebugHeaders:
    disabled: true
  metadataExchangeHeaders:
    mode: IN_MESH
</code></pre>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-disable_alpn_h2">
<td><code>disableAlpnH2</code></td>
<td><code>bool</code></td>
<td>
<p>Added by ingress
Disable apln h2 protocol for envoy proxy.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-zipkin_address" class="deprecated ">
<td><code>zipkinAddress</code></td>
<td><code>string</code></td>
<td>
<p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
DEPRECATED: Use <a href="#ProxyConfig-tracing">tracing</a> instead.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RemoteService">RemoteService</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RemoteService-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>Address of a remove service used for various purposes (access log
receiver, metrics receiver, etc.). Can be IP address or a fully
qualified DNS name.</p>

</td>
<td>
No
</td>
</tr>
<tr id="RemoteService-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the <code>tls_settings</code> to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p>

</td>
<td>
No
</td>
</tr>
<tr id="RemoteService-tcp_keepalive">
<td><code>tcpKeepalive</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings-TCPSettings-TcpKeepalive">TcpKeepalive</a></code></td>
<td>
<p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tracing-Zipkin">Tracing.Zipkin</h2>
<section>
<p>Zipkin defines configuration for a Zipkin tracer.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Tracing-Zipkin-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tracing-Datadog">Tracing.Datadog</h2>
<section>
<p>Datadog defines configuration for a Datadog tracer.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Tracing-Datadog-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>Address of the Datadog Agent.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tracing-Stackdriver">Tracing.Stackdriver</h2>
<section>
<p>Stackdriver defines configuration for a Stackdriver tracer.
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto">Envoy&rsquo;s OpenCensus trace configuration</a>
and
<a href="https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto">OpenCensus trace config</a> for details.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
</tbody>
</table>
</section>
<h2 id="Tracing-OpenCensusAgent">Tracing.OpenCensusAgent</h2>
<section>
<p>OpenCensusAgent defines configuration for an OpenCensus tracer writing to
an OpenCensus agent backend. See
<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto">Envoy&rsquo;s OpenCensus trace configuration</a>
and
<a href="https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto">OpenCensus trace config</a>
for details.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Tracing-OpenCensusAgent-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
unix:path). See <a href="https://github.com/grpc/grpc/blob/master/doc/naming.md">gRPC naming
docs</a> for
details.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Tracing-OpenCensusAgent-context">
<td><code>context</code></td>
<td><code><a href="#Tracing-OpenCensusAgent-TraceContext">TraceContext[]</a></code></td>
<td>
<p>Specifies the set of context propagation headers used for distributed
tracing. Default is <code>[&quot;W3C_TRACE_CONTEXT&quot;]</code>. If multiple values are specified,
the proxy will attempt to read each header for each request and will
write all headers.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Topology-ProxyProtocolConfiguration">Topology.ProxyProtocolConfiguration</h2>
<section>
<p>PROXY protocol configuration.</p>

</section>
<h2 id="PrivateKeyProvider-CryptoMb">PrivateKeyProvider.CryptoMb</h2>
<section>
<p>CryptoMb PrivateKeyProvider configuration</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PrivateKeyProvider-CryptoMb-poll_delay">
<td><code>pollDelay</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>How long to wait until the per-thread processing queue should be processed. If the processing queue
gets full (eight sign or decrypt requests are received) it is processed immediately.
However, if the queue is not filled before the delay has expired, the requests already in the queue
are processed, even if the queue is not full.
In effect, this value controls the balance between latency and throughput.
The duration needs to be set to a value greater than or equal to 1 millisecond.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PrivateKeyProvider-QAT">PrivateKeyProvider.QAT</h2>
<section>
<p>QAT (QuickAssist Technology) PrivateKeyProvider configuration</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PrivateKeyProvider-QAT-poll_delay">
<td><code>pollDelay</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>How long to wait before polling the hardware accelerator after a request has been submitted there.
Having a small value leads to quicker answers from the hardware but causes more polling loop spins,
leading to potentially larger CPU usage.
The duration needs to be set to a value greater than or equal to 1 millisecond.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyStatsMatcher">ProxyConfig.ProxyStatsMatcher</h2>
<section>
<p>Proxy stats name matchers for stats creation. Note this is in addition to
the minimum Envoy stats that Istio generates by default.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyStatsMatcher-inclusion_prefixes">
<td><code>inclusionPrefixes</code></td>
<td><code>string[]</code></td>
<td>
<p>Proxy stats name prefix matcher for inclusion.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyStatsMatcher-inclusion_suffixes">
<td><code>inclusionSuffixes</code></td>
<td><code>string[]</code></td>
<td>
<p>Proxy stats name suffix matcher for inclusion.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyStatsMatcher-inclusion_regexps">
<td><code>inclusionRegexps</code></td>
<td><code>string[]</code></td>
<td>
<p>Proxy stats name regexps matcher for inclusion.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders">ProxyConfig.ProxyHeaders</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-forwarded_client_cert">
<td><code>forwardedClientCert</code></td>
<td><code><a href="#ForwardClientCertDetails">ForwardClientCertDetails</a></code></td>
<td>
<p>Controls the <code>X-Forwarded-Client-Cert</code> header for inbound sidecar requests. To set this on gateways, use the <code>Topology</code> setting.
To disable the header, configure either <code>SANITIZE</code> (to always remove the header, if present) or <code>FORWARD_ONLY</code> (to leave the header as-is).
By default, <code>APPEND_FORWARD</code> will be used.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-request_id">
<td><code>requestId</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders-RequestId">RequestId</a></code></td>
<td>
<p>Controls the <code>X-Request-Id</code> header. If enabled, a request ID is generated for each request if one is not already set.
This applies to all types of traffic (inbound, outbound, and gateways).
If disabled, no request ID will be generate for the request. If it is already present, it will be preserved.
Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended.
This header is enabled by default if not configured.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-server">
<td><code>server</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders-Server">Server</a></code></td>
<td>
<p>Controls the <code>server</code> header. If enabled, the <code>Server: istio-envoy</code> header is set in response headers for inbound traffic (including gateways).
If disabled, the <code>Server</code> header is not modified. If it is already present, it will be preserved.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-attempt_count">
<td><code>attemptCount</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders-AttemptCount">AttemptCount</a></code></td>
<td>
<p>Controls the <code>X-Envoy-Attempt-Count</code> header.
If enabled, this header will be added on outbound request headers (including gateways) that have retries configured.
If disabled, this header will not be set. If it is already present, it will be preserved.
This header is enabled by default if not configured.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-envoy_debug_headers">
<td><code>envoyDebugHeaders</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders">EnvoyDebugHeaders</a></code></td>
<td>
<p>Controls various <code>X-Envoy-*</code> headers, such as <code>X-Envoy-Overloaded</code> and `X-Envoy-Upstream-Service-Time. If enabled,
these headers will be included.
If disabled, these headers will not be set. If they are already present, they will be preserved.
See the <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers">Envoy documentation</a> for more details.
These headers are enabled by default if not configured.</p>

</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-metadata_exchange_headers">
<td><code>metadataExchangeHeaders</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders-MetadataExchangeHeaders">MetadataExchangeHeaders</a></code></td>
<td>
<p>Controls Istio metadata exchange headers <code>X-Envoy-Peer-Metadata</code> and <code>X-Envoy-Peer-Metadata-Id</code>.
By default, the behavior is unspecified.
If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders-Server">ProxyConfig.ProxyHeaders.Server</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-Server-disabled">
<td><code>disabled</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-Server-value">
<td><code>value</code></td>
<td><code>string</code></td>
<td>
<p>If set, and the server header is enabled, this value will be set as the server header. By default, <code>istio-envoy</code> will be used.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders-RequestId">ProxyConfig.ProxyHeaders.RequestId</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-RequestId-disabled">
<td><code>disabled</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders-AttemptCount">ProxyConfig.ProxyHeaders.AttemptCount</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-AttemptCount-disabled">
<td><code>disabled</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders-EnvoyDebugHeaders">ProxyConfig.ProxyHeaders.EnvoyDebugHeaders</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-EnvoyDebugHeaders-disabled">
<td><code>disabled</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders-MetadataExchangeHeaders">ProxyConfig.ProxyHeaders.MetadataExchangeHeaders</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-MetadataExchangeHeaders-mode">
<td><code>mode</code></td>
<td><code><a href="#ProxyConfig-ProxyHeaders-MetadataExchangeMode">MetadataExchangeMode</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Network">Network</h2>
<section>
<p>Network provides information about the endpoints in a routable L3
network. A single routable L3 network can have one or more service
registries. Note that the network has no relation to the locality of the
endpoint. The endpoint locality will be obtained from the service
registry.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Network-endpoints">
<td><code>endpoints</code></td>
<td><code><a href="#Network-NetworkEndpoints">NetworkEndpoints[]</a></code></td>
<td>
<p>The list of endpoints in the network (obtained through the
constituent service registries or from CIDR ranges). All endpoints in
the network are directly accessible to one another.</p>

</td>
<td>
Yes
</td>
</tr>
<tr id="Network-gateways">
<td><code>gateways</code></td>
<td><code><a href="#Network-IstioNetworkGateway">IstioNetworkGateway[]</a></code></td>
<td>
<p>Set of gateways associated with the network.</p>

</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshNetworks">MeshNetworks</h2>
<section>
<p>MeshNetworks (config map) provides information about the set of networks
inside a mesh and how to route to endpoints in each network. For example</p>
<p>MeshNetworks(file/config map):</p>
<pre><code class="language-yaml">networks:
  network1:
    endpoints:
    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    - fromCidr: 192.168.100.0/22 #a VM network for example
    gateways:
    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
      port: 15443
      locality: us-east-1a
    - address: 192.168.100.1
      port: 15443
      locality: us-east-1a
</code></pre>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshNetworks-networks">
<td><code>networks</code></td>
<td><code>map&lt;string,&nbsp;<a href="#Network">Network</a>&gt;</code></td>
<td>
<p>The set of networks inside this mesh. Each network should
have a unique name and information about how to infer the endpoints in
the network as well as the gateways associated with the network.</p>

</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Network-NetworkEndpoints">Network.NetworkEndpoints</h2>
<section>
<p>NetworkEndpoints describes how the network associated with an endpoint
should be inferred. An endpoint will be assigned to a network based on
the following rules:</p>
<ol>
<li>
<p>Implicitly: If the registry explicitly provides information about
the network to which the endpoint belongs to. In some cases, its
possible to indicate the network associated with the endpoint by
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p>
</li>
<li>
<p>Explicitly:</p>
<p>a. By matching the registry name with one of the &ldquo;fromRegistry&rdquo;
in the mesh config. A &ldquo;from_registry&rdquo; can only be assigned to a
single network.</p>
<p>b. By matching the IP against one of the CIDR ranges in a mesh
config network. The CIDR ranges must not overlap and be assigned to
a single network.</p>
</li>
</ol>
<p>(2) will override (1) if both are present.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Network-NetworkEndpoints-from_cidr" class="oneof oneof-start">
<td><code>fromCidr</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>A CIDR range for the set of endpoints in this network. The CIDR
ranges for endpoints from different networks must not overlap.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Network-NetworkEndpoints-from_registry" class="oneof">
<td><code>fromRegistry</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Add all endpoints from the specified registry into this network.
The names of the registries should correspond to the kubeconfig file name
inside the secret that was used to configure the registry (Kubernetes
multicluster) or supplied by MCP server.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Network-IstioNetworkGateway">Network.IstioNetworkGateway</h2>
<section>
<p>The gateway associated with this network. Traffic from remote networks
will arrive at the specified gateway:port. All incoming traffic must
use mTLS.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Network-IstioNetworkGateway-registry_service_name" class="oneof oneof-start">
<td><code>registryServiceName</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>A fully qualified domain name of the gateway service.  Pilot will
lookup the service from the service registries in the network and
obtain the endpoint IPs of the gateway from the service
registry. Note that while the service name is a fully qualified
domain name, it need not be resolvable outside the orchestration
platform for the registry. e.g., this could be
istio-ingressgateway.istio-system.svc.cluster.local.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Network-IstioNetworkGateway-address" class="oneof">
<td><code>address</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>IP address or externally resolvable DNS address associated with the gateway.</p>

</td>
<td>
No
</td>
</tr>
<tr id="Network-IstioNetworkGateway-port">
<td><code>port</code></td>
<td><code>uint32</code></td>
<td>
<p>The port associated with the gateway.</p>

</td>
<td>
Yes
</td>
</tr>
<tr id="Network-IstioNetworkGateway-locality">
<td><code>locality</code></td>
<td><code>string</code></td>
<td>
<p>The locality associated with an explicitly specified gateway (i.e. ip)</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-OutboundTrafficPolicy-Mode">MeshConfig.OutboundTrafficPolicy.Mode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries</p>

</td>
</tr>
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext">MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext</h2>
<section>
<p>TraceContext selects the context propagation headers used for
distributed tracing.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-W3C_TRACE_CONTEXT">
<td><code>W3C_TRACE_CONTEXT</code></td>
<td>
<p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
See the
<a href="https://www.w3.org/TR/trace-context/">Trace Context documentation</a> for details.</p>

</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-GRPC_BIN">
<td><code>GRPC_BIN</code></td>
<td>
<p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p>

</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-CLOUD_TRACE_CONTEXT">
<td><code>CLOUD_TRACE_CONTEXT</code></td>
<td>
<p>Use Cloud Trace context propagation using the
<code>X-Cloud-Trace-Context</code> http header.</p>

</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-B3">
<td><code>B3</code></td>
<td>
<p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
<a href="https://github.com/openzipkin/b3-propagation">B3 header propagation README</a>
for details.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ProxyPathNormalization-NormalizationType">MeshConfig.ProxyPathNormalization.NormalizationType</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ProxyPathNormalization-NormalizationType-DEFAULT">
<td><code>DEFAULT</code></td>
<td>
<p>Apply default normalizations. Currently, this is BASE.</p>

</td>
</tr>
<tr id="MeshConfig-ProxyPathNormalization-NormalizationType-NONE">
<td><code>NONE</code></td>
<td>
<p>No normalization, paths are used as is.</p>

</td>
</tr>
<tr id="MeshConfig-ProxyPathNormalization-NormalizationType-BASE">
<td><code>BASE</code></td>
<td>
<p>Normalize according to <a href="https://tools.ietf.org/html/rfc3986">RFC 3986</a>.
For Envoy proxies, this is the <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html"><code>normalize_path</code></a> option.
For example, <code>/a/../b</code> normalizes to <code>/b</code>.</p>

</td>
</tr>
<tr id="MeshConfig-ProxyPathNormalization-NormalizationType-MERGE_SLASHES">
<td><code>MERGE_SLASHES</code></td>
<td>
<p>In addition to the <code>BASE</code> normalization, consecutive slashes are also merged.
For example, <code>/a//b</code> normalizes to <code>a/b</code>.</p>

</td>
</tr>
<tr id="MeshConfig-ProxyPathNormalization-NormalizationType-DECODE_AND_MERGE_SLASHES">
<td><code>DECODE_AND_MERGE_SLASHES</code></td>
<td>
<p>In addition to normalization in <code>MERGE_SLASHES</code>, slash characters are UTF-8 decoded (case insensitive) prior to merging.
This means <code>%2F</code>, <code>%2f</code>, <code>%5C</code>, and <code>%5c</code> sequences in the request path will be rewritten to <code>/</code> or <code>\</code>.
For example, <code>/a%2f/b</code> normalizes to <code>a/b</code>.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-TLSConfig-TLSProtocol">MeshConfig.TLSConfig.TLSProtocol</h2>
<section>
<p>TLS protocol versions.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-TLSConfig-TLSProtocol-TLS_AUTO">
<td><code>TLS_AUTO</code></td>
<td>
<p>Automatically choose the optimal TLS version.</p>

</td>
</tr>
<tr id="MeshConfig-TLSConfig-TLSProtocol-TLSV1_2">
<td><code>TLSV1_2</code></td>
<td>
<p>TLS version 1.2</p>

</td>
</tr>
<tr id="MeshConfig-TLSConfig-TLSProtocol-TLSV1_3">
<td><code>TLSV1_3</code></td>
<td>
<p>TLS version 1.3</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-IngressControllerMode">MeshConfig.IngressControllerMode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-IngressControllerMode-UNSPECIFIED">
<td><code>UNSPECIFIED</code></td>
<td>
<p>Unspecified Istio ingress controller.</p>

</td>
</tr>
<tr id="MeshConfig-IngressControllerMode-OFF">
<td><code>OFF</code></td>
<td>
<p>Disables Istio ingress controller.</p>

</td>
</tr>
<tr id="MeshConfig-IngressControllerMode-DEFAULT">
<td><code>DEFAULT</code></td>
<td>
<p>Istio ingress controller will act on ingress resources that do not
contain any annotation or whose annotations match the value
specified in the ingress_class parameter described earlier. Use this
mode if Istio ingress controller will be the default ingress
controller for the entire Kubernetes cluster.</p>

</td>
</tr>
<tr id="MeshConfig-IngressControllerMode-STRICT">
<td><code>STRICT</code></td>
<td>
<p>Istio ingress controller will only act on ingress resources whose
annotations match the value specified in the ingress_class parameter
described earlier. Use this mode if Istio ingress controller will be
a secondary ingress controller (e.g., in addition to a
cloud-provided ingress controller).</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-AccessLogEncoding">MeshConfig.AccessLogEncoding</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-AccessLogEncoding-TEXT">
<td><code>TEXT</code></td>
<td>
<p>text encoding for the proxy access log</p>

</td>
</tr>
<tr id="MeshConfig-AccessLogEncoding-JSON">
<td><code>JSON</code></td>
<td>
<p>json encoding for the proxy access log</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-H2UpgradePolicy">MeshConfig.H2UpgradePolicy</h2>
<section>
<p>Default Policy for upgrading http1.1 connections to http2.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE">
<td><code>DO_NOT_UPGRADE</code></td>
<td>
<p>Do not upgrade connections to http2.</p>

</td>
</tr>
<tr id="MeshConfig-H2UpgradePolicy-UPGRADE">
<td><code>UPGRADE</code></td>
<td>
<p>Upgrade the connections to http2.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Resource">Resource</h2>
<section>
<p>Resource describes the source of configuration</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Resource-SERVICE_REGISTRY">
<td><code>SERVICE_REGISTRY</code></td>
<td>
<p>Set to only receive service entries that are generated by the platform.
These auto generated service entries are combination of services and endpoints
that are generated by a specific platform e.g. k8</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tracing-OpenCensusAgent-TraceContext">Tracing.OpenCensusAgent.TraceContext</h2>
<section>
<p>TraceContext selects the context propagation headers used for
distributed tracing.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Tracing-OpenCensusAgent-TraceContext-W3C_TRACE_CONTEXT">
<td><code>W3C_TRACE_CONTEXT</code></td>
<td>
<p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
See the
<a href="https://www.w3.org/TR/trace-context/">Trace Context documentation</a> for details.</p>

</td>
</tr>
<tr id="Tracing-OpenCensusAgent-TraceContext-GRPC_BIN">
<td><code>GRPC_BIN</code></td>
<td>
<p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p>

</td>
</tr>
<tr id="Tracing-OpenCensusAgent-TraceContext-CLOUD_TRACE_CONTEXT">
<td><code>CLOUD_TRACE_CONTEXT</code></td>
<td>
<p>Use Cloud Trace context propagation using the
<code>X-Cloud-Trace-Context</code> http header.</p>

</td>
</tr>
<tr id="Tracing-OpenCensusAgent-TraceContext-B3">
<td><code>B3</code></td>
<td>
<p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
<a href="https://github.com/openzipkin/b3-propagation">B3 header propagation README</a>
for details.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-ProxyHeaders-MetadataExchangeMode">ProxyConfig.ProxyHeaders.MetadataExchangeMode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-MetadataExchangeMode-UNDEFINED">
<td><code>UNDEFINED</code></td>
<td>
<p>Existing Istio behavior for the metadata exchange headers is unchanged.</p>

</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-MetadataExchangeMode-IN_MESH">
<td><code>IN_MESH</code></td>
<td>
<p>Only append the istio metadata exchange headers for services considered in-mesh.
Traffic is considered in-mesh if it is secured with Istio mutual TLS. This means that <code>MESH_EXTERNAL</code> services, unmatched passthrough traffic, and requests to workloads without Istio enabled will be considered out of mesh.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-TracingServiceName">ProxyConfig.TracingServiceName</h2>
<section>
<p>Allows specification of various Istio-supported naming schemes for the
Envoy <code>service_cluster</code> value. The <code>servce_cluster</code> value is primarily used
by Envoys to provide service names for tracing spans.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-TracingServiceName-APP_LABEL_AND_NAMESPACE">
<td><code>APP_LABEL_AND_NAMESPACE</code></td>
<td>
<p>Default scheme. Uses the <code>app</code> label and workload namespace to construct
a cluster name. If the <code>app</code> label does not exist <code>istio-proxy</code> is used.</p>

</td>
</tr>
<tr id="ProxyConfig-TracingServiceName-CANONICAL_NAME_ONLY">
<td><code>CANONICAL_NAME_ONLY</code></td>
<td>
<p>Uses the canonical name for a workload (<em>excluding namespace</em>).</p>

</td>
</tr>
<tr id="ProxyConfig-TracingServiceName-CANONICAL_NAME_AND_NAMESPACE">
<td><code>CANONICAL_NAME_AND_NAMESPACE</code></td>
<td>
<p>Uses the canonical name and namespace for a workload.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ProxyConfig-InboundInterceptionMode">ProxyConfig.InboundInterceptionMode</h2>
<section>
<p>The mode used to redirect inbound traffic to Envoy.
This setting has no effect on outbound traffic: iptables <code>REDIRECT</code> is always used for
outbound connections.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-InboundInterceptionMode-REDIRECT">
<td><code>REDIRECT</code></td>
<td>
<p>The <code>REDIRECT</code> mode uses iptables <code>REDIRECT</code> to <code>NAT</code> and redirect to Envoy. This mode loses
source IP addresses during redirection.</p>

</td>
</tr>
<tr id="ProxyConfig-InboundInterceptionMode-TPROXY">
<td><code>TPROXY</code></td>
<td>
<p>The <code>TPROXY</code> mode uses iptables <code>TPROXY</code> to redirect to Envoy. This mode preserves both the
source and destination IP addresses and ports, so that they can be used for advanced
filtering and manipulation. This mode also configures the sidecar to run with the
<code>CAP_NET_ADMIN</code> capability, which is required to use <code>TPROXY</code>.</p>

</td>
</tr>
<tr id="ProxyConfig-InboundInterceptionMode-NONE">
<td><code>NONE</code></td>
<td>
<p>The <code>NONE</code> mode does not configure redirect to Envoy at all. This is an advanced
configuration that typically requires changes to user applications.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AuthenticationPolicy">AuthenticationPolicy</h2>
<section>
<p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
Mesh policy cannot be INHERIT.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AuthenticationPolicy-NONE">
<td><code>NONE</code></td>
<td>
<p>Do not encrypt proxy to control plane traffic.</p>

</td>
</tr>
<tr id="AuthenticationPolicy-MUTUAL_TLS">
<td><code>MUTUAL_TLS</code></td>
<td>
<p>Proxy to control plane traffic is wrapped into mutual TLS connections.</p>

</td>
</tr>
<tr id="AuthenticationPolicy-INHERIT">
<td><code>INHERIT</code></td>
<td>
<p>Use the policy defined by the parent scope. Should not be used for mesh
policy.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ForwardClientCertDetails">ForwardClientCertDetails</h2>
<section>
<p>ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
header is handled by the gateway proxy.
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#envoy-api-enum-config-filter-network-http-connection-manager-v2-httpconnectionmanager-forwardclientcertdetails">Envoy XFCC</a>
header handling for more details.</p>

<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ForwardClientCertDetails-UNDEFINED">
<td><code>UNDEFINED</code></td>
<td>
<p>Field is not set</p>

</td>
</tr>
<tr id="ForwardClientCertDetails-SANITIZE">
<td><code>SANITIZE</code></td>
<td>
<p>Do not send the XFCC header to the next hop. This is the default value.</p>

</td>
</tr>
<tr id="ForwardClientCertDetails-FORWARD_ONLY">
<td><code>FORWARD_ONLY</code></td>
<td>
<p>When the client connection is mTLS (Mutual TLS), forward the XFCC header
in the request.</p>

</td>
</tr>
<tr id="ForwardClientCertDetails-APPEND_FORWARD">
<td><code>APPEND_FORWARD</code></td>
<td>
<p>When the client connection is mTLS, append the client certificate
information to the request’s XFCC header and forward it.</p>

</td>
</tr>
<tr id="ForwardClientCertDetails-SANITIZE_SET">
<td><code>SANITIZE_SET</code></td>
<td>
<p>When the client connection is mTLS, reset the XFCC header with the client
certificate information and send it to the next hop.</p>

</td>
</tr>
<tr id="ForwardClientCertDetails-ALWAYS_FORWARD_ONLY">
<td><code>ALWAYS_FORWARD_ONLY</code></td>
<td>
<p>Always forward the XFCC header in the request, regardless of whether the
client connection is mTLS.</p>

</td>
</tr>
</tbody>
</table>
</section>
